Does such a user have access to adjacent sub-resources?

Mahdi 125 Reputation points
2024-07-08T06:08:25.1033333+00:00

Hi,

I have a question about user permissions. Can someone please explain, so I can better understand user permissions: let's say under the tenant root group, I create user1 and management-group1. Under management-group1, I create subscription1 and user2. Under subscription1, there is resource1. The following picture depicts the hierarchy.

  1. Does User1 have access to subscription1 and resource1?
  2. Does User2 have access to subscription1 and resource1?

[Image: diagram of the hierarchy described above]


Accepted answer
  1. akinbade abiola 8,450 Reputation points
    2024-07-08T06:15:53.1+00:00

    Hello Mahdi,

    Thanks for your question.

    User1 has access to all resources within the hierarchy because they belong to the Tenant Root Group (i.e. everything under the tenant group), but User2 has access to all resources under Management Group 1, including Subscription1 and Resource1.

    See: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Regards,

    Abiola


2 additional answers

  1. Deepanshukatara-6769 7,905 Reputation points
    2024-07-08T06:15:53.64+00:00

    Hi Mahdi, Welcome to MS Q&A

    Azure management groups provide a way to organize and manage access, policies, and compliance for multiple subscriptions. Within a management group, you can assign roles to users, groups, or service principals to grant permissions to manage resources within the management group and its subscriptions. When a user is assigned a role at the management group level, the access is inherited by the child management group's subscriptions. Similarly, policies set at the parent management group are also inherited by the children.

    Based on information provided:

    • User1: If User1 is assigned a role at the tenant root group or management-group1 level, they will have access to subscription1 and resource1.
    • User2: If User2 is assigned a role at the subscription1 level, they will have access to subscription1 and resource1. If User2 is assigned a role at the management-group1 level, they will also have access to subscription1 and resource1.

    References:

    Kindly accept answer if it helps

    Please let us know if you have further questions

    Thanks
    Deepanshu


  2. Andreas Baumgarten 1L Reputation points MVP
    2024-07-08T06:18:02.39+00:00

    Hi @Mahdi ,

    based on your scenario described in the picture:

    Does User1 have access to subscription1 and resource1? -> Yes, based on the RBAC roles of User 1

    Does User2 have access to subscription1 and resource1? -> Yes, based on the RBAC role of User 2

    The inheritance of RBAC permissions is the following:

    Tenant Root Group (MG) -> Management Group 1 (MG) -> Subscription 1 (Sub) -> Resource 1 (Res)


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards

    Andreas Baumgarten

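The inheritance chain the answers describe (Tenant Root Group -> Management Group 1 -> Subscription 1 -> Resource 1), modelled as an added example that is not part of the thread or of any Microsoft tool. It assumes "user created under" a scope means a role assignment at that scope, and the assignments and the trimmed Reader/Contributor definitions are constructed for illustration; the action strings follow the real Azure `Actions`/`NotActions` wildcard format.

```python
import fnmatch

# Parent of each scope in the question's hierarchy (None = top of the tree).
# A role assignment at a scope applies to that scope and everything below it.
HIERARCHY = {
    "Tenant Root Group": None,
    "management-group1": "Tenant Root Group",
    "subscription1": "management-group1",
    "resource1": "subscription1",
}

# Constructed subset of two built-in roles: Actions granted, NotActions carved out.
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    },
}

# Constructed assignments (principal, role, scope) matching the question's layout.
ASSIGNMENTS = [
    ("user1", "Reader", "Tenant Root Group"),
    ("user2", "Contributor", "management-group1"),
]


def ancestors(scope):
    """Yield the scope itself, then each parent up to the root."""
    while scope is not None:
        yield scope
        scope = HIERARCHY[scope]


def effective_roles(principal, scope):
    """Roles that apply at `scope`: assigned there or at any ancestor (inheritance flows down only)."""
    chain = set(ancestors(scope))
    return sorted(r for p, r, s in ASSIGNMENTS if p == principal and s in chain)


def _matches(pattern, action):
    """Azure-style action matching: '*' is a wildcard, comparison is case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(principal, action, scope):
    """Allowed if some effective role lists the action in Actions and not in NotActions."""
    for role in effective_roles(principal, scope):
        spec = ROLES[role]
        granted = any(_matches(a, action) for a in spec["actions"])
        excluded = any(_matches(n, action) for n in spec["not_actions"])
        if granted and not excluded:
            return True
    return False
```

Running it shows user2's Contributor assignment reaches resource1 but not the Tenant Root Group above it, which is the direction of inheritance the answers describe.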